PCI Council to increase guidance for point-to-point encryption, hospitality industry

The PCI Council plans on developing a validation program for point-to-point encryption

Michael Mitchell is no stranger to the PCI Security Standards Council. He’s been with the Council since its inception six years ago and is the newly minted chairman of the executive committee. He also keeps a day job as the VP of global network operations for American Express.

So it’s Amex’s turn to lead the council in what Bob Russo – GM of the PCI Security Standards Council – says is a wholly undemocratic process whereby each card issuer takes a yearly turn in occupying the executive committee’s top slot.

Mitchell says 2012 is a “feedback year” for stakeholders in the payment card industry, as PCI DSS 2.0 went into effect at the beginning of 2011. It’s also the first time the revision process embarks on its revised three-year lifecycle process, with 2011 reserved for implementation, 2012 for feedback, and 2013 slated for revisions.

What’s New for 2012

“This year we will be working very closely with our members, who will provide feedback on their thoughts and ideas to make enhancements and improvements to the standards”, said Mitchell, who added that anyone is able to comment on the standards. The PCI chairman said the Council will be engaging with the entire payment card community throughout 2012 to help steer the revision process in 2013.

The formation of PCI special interest groups (SIGs) administered by the Council itself will also be new for 2012. As previously reported by Infosecurity, in order to streamline their efforts, the Council will oversee the SIG process of developing recommendations for further guidance, clarification and possibly modification of PCI standards. As Mitchell relayed, the SIGs will focus on three priority areas that were voted on by the PCI stakeholder community: cloud computing, e-commerce security, and risk assessment. The SIG’s, he continued, will examine these three areas and “make recommendations back to the Council throughout the 2012” revision period.

The PCI chair said the Council also plans on developing a validation program that will go beyond its recently published standards for point-to-point encryption. “This year the Council is looking at how we can develop a program to validate vendor solutions for encryption”, Mitchell revealed. Once the product is validated against the standards, the Council plans on publishing this information on its website for merchants to consult, much the same why it has for PCI-approved payment applications and point-of-sale devices.

“It will go a long way in reducing the overall scope of payment data that has to be assessed by security assessors”, he added. “It will make complying with the [PCI point-to-point encryption] standard simpler, easier, faster and, in some cases, more cost effective.” He also said that the Council expects to consider a similar validation program for tokenization solutions, but at this point the research is preliminary.

Responding to PCI’s Critics

PCI compliance can be likened to a trip to the dentist – nobody wants to do it, but everyone has to. “And you have to [comply with PCI] because it’s good for you”, PCI GM Bob Russo jokingly added. One of the major criticisms of the PCI DSS is that it does not apply to a specific industry, and is therefore too broad.

Russo observed that breaches with large amounts of payment data are fading quickly (thanks to compliance with PCI, he insinuates), and in their place are an uptick in compromises at smaller merchants and franchises, which tend to be less compliant with PCI’s standards.

He acknowledged that the hospitality industry is becoming a larger target for payment data breaches, and it is one vertical that the Council is concentrating on for its outreach efforts. Russo indentified card skimming scams and lack of business owners’ familiarity with the threats and PCI standards as primary reasons that this trend has developed.

It’s not that there is some major problem that specifically affects the hospitality industry, he added. “It’s an education process”, Russo pointed to as a solution. “[Smaller merchants] don’t really understand what PCI is, or why it helps them, until it’s too late.”

Russo reiterated that the PCI runs a microsite for smaller merchants to aid their compliance efforts. He says that the PCI Council is working “several different channels” to get the word out to smaller merchants who are increasingly susceptible to payment data breaches. “This is something that could put you out of business if you are a small business”, he warned.

“Some industries are simply more complicated in their payment models”, Mitchell added, pointing out the hotel industry as one example, due to its vast array of physical locations that take payments. He acknowledged the criticisms of PCI as valid, but said that “PCI is the best payment data protection standard” available.

“If you look at PCI controls that are specified in the requirements, it’s the only thing out there that addresses the entire ecosystem”, Mitchell concluded. “And it works for a hotel chain just as easily as it does for a corner store because it addresses the IT environment, the payment application, and point-of-sale devices.”